RFQ # 26002 - Architecture Observatory Tool

RFQ # 26002 - Architecture Observatory Tool PERS RFQ # 26002 Architecture Observatory Tool Page 2 of 12 REQUEST FOR QUOTES (RFQ) Best Value Analysis (BVA) Architecture Observatory Tool PERS-RFQ # 26002 OregonBuys # S-45900-00016150 Issue Date: February 26, 2026 Issuing Office: Public Employees Retirement System (PERS) RFQ Contact Information (Authorized Representative): Ryan Ellis, Procurement & Contracts Specialist Address: 11410 SW 68th Parkway Tigard, OR 97223 Phone: (503) 603-7505 E-mail: ryan.ellis@pers.oregon.gov Offer Due Date and Time: Thursday, March 19, 2026, 4:00PM PST. Service Category: Cloud Service Providers Issued to: Agreement / Participating Addendum #

• A&T Systems #8352
• Carahsoft #9412
• CDWG #9414
• Lumen (CenturyLink) #8355
• SHI International #9404
• Smartronix #8354
• Strategic Comm. #9413

Page 2 of 18 Introduction The Oregon Public Employee Retirement System (“OPERS”) is issuing this Request for Quote/Best Value Analysis (“RFQ/BVA”) seeking an Architecture Observability Tool (“Solution”). OPERS is pursuing a Software as a Service (“SaaS”) Solution. This RFQ is only for solutions that are hosted in the cloud, not hosted on premises. Offeror’s proposal must include all necessary end user licenses, modules, training, and maintenance/support agreements and costs. OPERS anticipates the Award of one (1) Purchase Order (“Contract”) as a result of this RFQ. Background Information OPERS is in the midst of a large-scale modernization program that requires a comprehensive view into the health, complexity, and risks of its current application portfolio. Many of the existing business-critical applications have grown over decades, spanning multiple technologies, frameworks, and integrations. This has resulted in a highly complex environment where it is difficult to fully understand application dependencies, technical debt, and the architectural impacts of proposed changes. To support informed decision-making, OPERS requires an Architecture Observability Tool that can automatically analyze applications at scale, generate accurate architecture models, and provide quantifiable measures of maintainability, security, and modernization readiness. The solution must go beyond traditional static code analysis by offering objective scoring models, industry benchmarks, and automated architecture discovery that can be integrated directly into enterprise architecture repositories and modernization roadmaps. Capability will allow OPERS to:

• Improve visibility into existing legacy applications and their dependencies, reducing

risks tied to modernization and cloud migration.

• Quantify technical debt and modernization readiness with objective metrics that can

guide executive decision-making and prioritization.

• Enable scenario modeling by providing fact-based insights into the impact of

refactoring, replatforming, or retirement strategies.

• Ensure alignment with enterprise architecture standards, including TOGAF, by

automatically generating architecture views that can be linked into the organization’s architecture repository.

• Integrate with DevOps and CI/CD pipelines to ensure ongoing observability as

applications evolve Architecture observability tool will provide OPERS with a single source of truth for application health, modernization planning, and architecture governance delivering both technical depth and business-level insights to guide the modernization journey. Scope and Desired Product Features a) The tool must have a proven track record of successful deployments in large-scale modernization projects within public sector organizations, with clear reference clients and documented outcomes. b) The platform must provide deep, automated code-level analysis across a broad range of technology stacks, including the ability to discover architecture and measure technical debt with precision scoring models. Page 3 of 18 c) The solution must support enterprise architecture alignment by offering built-in compliance with frameworks such as TOGAF, and must integrate directly into architecture repositories like OrbusInfinity without requiring custom development. d) The tool must deliver modernization readiness scores, maintainability indexes, and risk indicators that are based on industry-standard measurement models and can be traced back to proven methodologies. e) The platform must be capable of integrating seamlessly with CI/CD pipelines, cloud migration assessment tools, and observability platforms, with documented examples of production-level integrations. f) The vendor must offer comprehensive training, onboarding, and long-term support programs, backed by subject matter experts with demonstrable experience in similar project. g) Must be able to quantify technical debt in financial terms, linking issues to estimated remediation costs and modernization ROI. h) Must automatically generate architecture diagrams from code without manual intervention and update them dynamically when the codebase changes. i) Tool to support approximately two million lines of code. PERS requires the following additional services:

• Maintenance and Support – Offeror shall provide maintenance and unlimited support

for this product. Offeror is responsible for software maintenance and updates. Offeror shall provide and be available to provide support during OPERS operating hours: Monday through Friday 6:00AM to 6:00PM PST. Response to any support request must be made in fewer than two hours.

• Configuration and Data Migration - Offeror shall develop a data migration plan,

perform initial setup, and complete configuration services. o Scalability and Performance – The solution must be capable of supporting growth in user base and data volume without performance degradation. Offeror shall demonstrate performance benchmarks under comparable workloads and provide a roadmap for scaling services as OPERS’ needs expand. o Integration Services – Offeror shall provide integration capabilities with OPERS’ existing enterprise systems, including but not limited to CI/CD pipelines, enterprise architecture repositories, and cloud services. The solution must include APIs or connectors to facilitate seamless data exchange. o Documentation – Offeror shall deliver comprehensive documentation for system configuration, user guides, administrative functions, and ongoing operations. Documentation must be updated with each release or patch. o Knowledge Transfer – Offeror shall provide structured knowledge transfer sessions to OPERS staff to ensure internal teams can administer, configure, and use the system effectively after implementation. Page 4 of 18 o Product Roadmap and Innovation – Offeror shall provide a documented product roadmap demonstrating ongoing investment in product development, innovation in application observability, and continued alignment with emerging technology standards. o Security and Compliance – Offeror shall ensure the solution complies with State of Oregon IT security standards and applicable federal requirements. The solution must provide audit logs, role-based access controls, and data encryption in transit and at rest. Offeror shall provide documentation of compliance with recognized security frameworks (e.g., NIST, ISO, SOC 2).

• Training - Offeror shall provide a training package to OPERS staff. Acceptable

training formats may include online, pre-recorded, new user training, train the trainer, and training manuals. Although most of the training requests will be from the launch of the product, the Offeror shall provide ongoing training support. Contract Timelines PERS’s goal is to start utilizing this new Architecture Observatory Tool as soon as contract award. Transition Services At PERS’s option, the awarded vendor will perform any requested transition services which may include analysis, data migration, configuration, implementation services, consulting services, and returning data to PERS in a suitable format via electronic submission. If PERS elects to include transition services, such transition services will be included via amendment. PERS must have full access and possession of all created materials, data, and records that pertain to this project. Insurance Requirements Prior to execution of the Contract, the apparent successful Offeror shall secure and demonstrate to Agency proof of insurance coverage meeting the requirements identified in the solicitation or as otherwise negotiated. Failure to demonstrate coverage may result in Agency terminating Negotiations and commencing Negotiations with the next highest-ranking Offeror. Offeror shall obtain the required types of insurance specified in Attachment # 6 listed in this RFQ at their expense. Term of Service PERS anticipates the award of one Contract from this solicitation. The initial term of the Contract is anticipated to be for a one (1) year term with optional annual renewals up to (5) five years. PERS reserves the right to amend additional years of service. End of Scope of Work Page 5 of 18 Questions and Requests All questions and requests for clarification of this RFQ must be submitted in writing by email to the above listed Authorized Representative, and must be received no later than March 12, 2026, at 4pm PST. When appropriate, as determined by the Authorized Representative in its sole discretion, revisions, substitutions, or clarification of this RFQ will be sent electronically. RFQ Response Submittal Responses must be received on or before the Offer Due Date and Time. All submissions must be emailed only to the Authorized Representative listed above. PERS may extend the Offer Due Date when it is in the best interest of the agency. The agency reserves the right to reject all offers and/or to cancel this RFQ if it is in the best interest of the agency. Submission Checklist ➢ Include the completed Pricing Sheet (Attachment # 1). ➢ Include the completed Security Certification (Attachment # 3). ➢ Include the completed Certified Office Inclusion & Diversity Form (Attachment # 5, if applicable). ➢ Include the End User License Agreement ➢ Include any Cloud Service Agreements ➢ Include any Maintenance and Support Agreement ➢ Please note: PERS reserves the right to ask for references Submitted Responses Subject to Disclosure as Public Records If Offeror believes any of its Offer is exempt from disclosure under Oregon Public Records Law (ORS 192.311 through 192.478), Offeror shall submit a fully redacted version of its Offer, clearly identified as the redacted version. If an Offeror includes information and data with its submitted Quote that Offeror regards as proprietary, privileged, or otherwise confidential; Offeror must identify such information in a separate document submitted with its Quote and provide a redacted submission along with the original submission. Otherwise, State will assume that Offeror consents to public disclosure of the original submission. Page 6 of 18 Security Requirements and GovRAMP Eligibility The successful Proposer ’s Solution must meet all hosting and security requirements which include:

• Compliance with Oregon’s Statewide Information Security Plan and Oregon’s Statewide

Information Technology Control Standards, found online at: Enterprise Information Services : Guidance for State Agencies : Cyber Security Services : State of Oregon.

• Security controls that meet or exceed National Institute of Standards and Technology (NIST)

Special Publication 800 -53 (revision 5 or more recent version) [“Moderate” / “High”] controls. This is equivalent to GovRAMP Impact Level ([Moderate/High]).

• In lieu of submitting a completed Statewide Security Standards Spreadsheet Attachment # 3,

Proposer may provide one of the following to demonstrate compliance with Oregon’s Information Technology Control Standards:

• Proof of current GovRAMP Authorized status (Ready, Provisionally Authorized, or

Authorized) in the form of a GovRAMP Letter, or

• Documentation of a valid GovRAMP Security Snapshot Score.

RFQ Evaluation & Criteria RFQ submissions will be reviewed to determine if all requirements have been met. Those meeting the requirements will be evaluated to determine the “Best Value” for the agency. “Best Value” is based solely on the evaluators’ determination of what best meets the needs of the agency, price, and other factors such as: experience, expertise, availability, and resource capacity will be considered. The Best Value Analysis is planned to evaluate all proposed products that meet the business and technical requirements. We will use the following criteria in the decision process:

• Approach, Methodology & Schedule
• Consultant Experience
• Personnel Qualifications & Experience
• Adoption & Training
• Cost
• Solution Demonstration
• Meets solution requirements

Page 7 of 18 Award The Offeror with the most advantageous submission will be awarded a contract. PERS will negotiate contract terms, conditions, Statement of Work, and other agreements such as licensing, maintenance, and support with the successful offeror. The awarded vendor will need to register in the PERS portal for goods and services, OregonBuys. This portal is used for procurement and vendor payment as well. PERS asks that you review the link below to register: https://oregonbuys.gov/bso/view/login/login.xhtml Protested Award An Affected Offeror will have 7 calendar days from the date of the Intent to Award notice to file a Written protest. An Offeror is an Affected Offeror only if the Offeror would be eligible for Contract award in the event the protest was successful and is protesting for one or more of the following reasons as specified in ORS 279B.410:

• All higher-ranked Offers are non-Responsive.
• PERS has failed to conduct an evaluation of Offers in accordance with the criteria or

process described in the RFQ.

• PERS abused its discretion in rejecting the protestor’s Offer as non-Responsive.
• PERS’ evaluation of Offer or determination of award otherwise violates the terms of the

Participating Addenda. Protests must:

• Be delivered to the RFQ contact via email or hard copy
• Reference the RFQ number
• Identify Offeror’s name and contact information
• Be signed by an Authorized Representative
• Specify the grounds for the protest
• Be received within 7 calendar days of the Intent to Award notice

Response to Protest. PERS will address all protests submitted in a reasonable time and will issue a Written decision to the respective Offeror. Protests that do not include the required information prescribed in this Section may not be considered by PERS. Certification Office for Business Inclusion & Diversity (COBID) Participation Pursuant to Oregon Revised Statute (ORS) Chapter 200, and as a matter of commitment, Agency encourages the participation of minority, women, and emerging small business enterprises in all contracting opportunities. Agency also encourages joint ventures or subcontracting with minority, women, and emerging small business enterprises. If the contract resulting from this RFQ provides subcontracting opportunities, the successful Proposer may be required to submit a completed COBID Outreach Plan prior to execution. Page 8 of 18 ------------------------------------------------------------------------------------------------------------------------------ RFQ Attachments that follow, begin on the next page. By such reference, the following seven (6) attachments and their respective content are incorporated into this RFQ. ➢ Attachment # 1, Pricing Sheet ➢ Attachment # 2, Security Frameworks and Controls ➢ Attachment # 3, Security Certification ➢ Attachment # 4, Information Security Policies ➢ Attachment # 5, Certified Office Inclusion & Diversity Form (if applicable) ➢ Attachment # 6, Insurance Requirements Page 9 of 18 Attachment # 1 PERS-RFQ # 26002 RFQ Pricing Sheet The Offeror agrees to provide the services described in the statement of work for this RFQ, for the following sums. Please attach a descriptive schedule of licensing, integration, and user fees. Description of Software/Licenses/Fees/Cloud Hosting and Back-up, Storage, Add- on or Modules Fees Part # Qty Cost per User Licensing and Support Installation, Configuration and Data Migration Services Training Maintenance/Support Services; Ongoing Services; Customer Service and Help Desk, including upgrades, if any. Number of Months Price Annual Support Package (includes ______) 12 2-Year Support Package (includes______) 24 3-Year Support Package (includes______) 36 4-Year Support Package (includes______) 48 5-Year Support Package (includes______) 60 RFQ Submittal prepared by:__________________________________________ Title: ____________________________________________________________ Address: _________________________________________________________ Phone #: _________________________________________________________ Email Address: ____________________________________________________ Authorized Signature:_______________________________________________ Page 10 of 18 Attachment # 2 PERS-RFQ # 26002 Security Frameworks and Controls Instructions (if requested): respond to the numbered items below with a security narrative and/or citation of the specific Provider policies utilized to support the following controls. If that control is not addressed or is not applicable, please note within the security narrative. Controls Requirements: A. NIST SP 800-63-3 1. Describe how the proposed solution / services support these Assurance Levels

• Identity Assurance Level (IAL)

o IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. The proposed solution(s) shall support IAL2.

• Authenticator Assurance Level (AAL)

o AAL2 provides high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). The proposed solution(s) shall support AAL2. B. NIST CSF 1.1: 1. Describe how the identities and credentials issued by the Provider to the customer for the product or service address this control.

• PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and

audited for authorized devices, users, and processes. o NIST SP 800-53 Rev. 5 controls AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-11 2. Describe how the identities and credentials issued by the Provider to the customer for the product or service address this control.

• PR.AC-4: Access permissions and authorizations are managed, incorporating the

principles of least privilege and separation of duties. o NIST SP 800-53 Rev. 5 controls AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16 3. Describe how the Provider’s internal security controls follow industry best security practices, and by extension protect the customer.

• PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor,

multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) Page 11 of 18 o NIST SP 800-53 Rev. 5 controls AC-7, AC-8, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-11 C. NIST SP 800-53 Rev. 5 / Oregon Statewide Information and Cyber Security Standards 1. Describe how the Provider’s internal security controls support how the AC – Access Control family of controls are met, ensuring to specifically address the controls listed below:

• AC-1: Access Control Policy and Procedures, AC-2: Account Management, AC-

3: Access Enforcement, AC-6: Least Privilege, AC-7: Unsuccessful Logon Attempts, AC-8: System Use Notification, AC-11: Device Lock, AC-12: Session Termination, AC-14: Permitted Actions without Identification or Authentication, and AC-19: Access Control for Mobile Devices. 2. Describe how the Provider’s internal security controls support how AT – Awareness and Training family of controls are met. 3. Describe how the Provider’s internal security controls support how AU – Audit and Accountability family of controls are met, ensuring to specifically address the controls listed below:

• AU-2: Event Logging, AU-3: Content of Audit Records, AU-4: Audit Log

Storage Capacity, AU-5: Response to Audit Logging Process Failures, AU-6: Audit Record Review, Analysis, and Reporting, AU-7: Audit Record Reduction and Report Generation, AU-8: Time Stamps, AU-9: Protection of Audit Information, AU-11: Audit Record Retention, AU-12: Audit Record Generation, and AU-16: Cross-Organizational Audit Logging. 4. Describe how the Provider’s internal security controls support how the CA – Assessment, Authorization, and Monitoring family of controls are met. 5. Describe how the Provider’s internal security controls support how CM – Configuration Management family of controls are met. 6. Describe how the Provider’s internal security controls support how CP – Contingency Planning family of controls are met, ensuring to specifically address the controls listed below:

• CP-1: Contingency Planning Policy and Procedures, CP-2: Contingency Plan,

CP-3: Contingency Training, CP-4: Contingency Plan Testing, CP-6: Alternate Storage Site, CP-7: Alternate Processing Site, CP-8: Telecommunications Services, CP-9: System Backup, and CP-10: System Recovery and Reconstruction. Page 12 of 18 7. Describe how the Provider’s internal security controls support how IA – Identification and Authentication family of controls are met, ensuring to specifically address the controls listed below:

• IA-1: Identification and Authentication Policy and Procedures, IA-2:

Identification and Authentication (Organizational Users), IA-3: Device Identification and Authentication, IA-4: Identifier Management, and IA-5: Authenticator Management. 8. Describe how the Provider’s internal security controls support how IR – Incident Response family of controls are met, ensuring to specifically address the controls listed below:

• IR-1: Incident Response Policy and Procedures, IR-2: Incident Response

Training, IR-3: Incident Response Testing, IR-4: Incident Handling, IR-5: Incident Monitoring, IR-6: Incident Reporting, IR-7: Incident Response Assistance, IR-8: Incident Response Plan, and IR-9: Information Spillage Response. 9. Describe how the Provider’s internal security controls support how the MA - Maintenance family of controls are met. 10. Describe how the Provider’s internal security controls support how the MP – Media Protection family of controls are met. 11. Describe how the Provider’s internal security controls support how the PE – Physical and Environmental Protection family of controls are met. 12. Describe how the Provider’s internal security controls support how the PL - Planning family of controls are met. 13. Describe how the Provider’s internal security controls support how the PM – Program Management family of controls are met. 14. Describe how the Provider’s internal security controls support how the PS – Personnel Security family of controls are met, ensuring to specifically address the controls listed below:

• PS-1: Personnel Security Policy and Procedures, PS-3: Personnel Screening, PS-

4: Personnel Termination, PS-5: Personnel Transfer, and PS-7: External Personnel Security. 15. Describe how the Provider’s internal security controls support how the PT – PII Processing and Transparency family of controls are met. 16. Describe how the Provider’s internal security controls support how the RA – Risk Assessment family of controls are met, ensuring to specifically address the controls listed below: Page 13 of 18

• RA-1: Risk Assessment Policy and Procedures, RA-2: Security Categorization,

RA-3: Risk Assessment, RA-5: Vulnerability Monitoring and Scanning, RA-7: Risk Response, and RA-9: Criticality Analysis 17. Describe how the Provider’s internal security controls support how the SA – System and Services Acquisition family of controls are met. 18. Describe how the Provider’s internal security controls support how the SC – System and Communications Protection family of controls are met. 19. Describe how the Provider’s internal security controls support how the SI – System and Information Integrity family of controls are met. 20. Describe how the Provider’s internal security controls support how the SR - Supply Chain Risk Management family of controls are met, ensuring to specifically address the controls listed below:

• SR-6: Supplier Assessments and Reviews and SR-8: Notification Agreements

Assessment Requirements: 1. Describe the routine assessments conducted. 2. Describe the certifications maintained.

• Oregon’s Statewide Information and Cyber Security Standards,

https://www.oregon.gov/eis/cyber-security-services/Documents/eis-css-statewide- information-technology(IT)-control-standards.pdf are based on NIST 800.53. The proposed Provider must annually provide the SOC 2 Type 2 assessment report demonstrating how it and the solution / services (including applications and application environments) it is proposing adhere to NIST 800.53 r5 at the moderate-impact level.

• The proposed Provider must provide routine third-party penetration test reports for the

solution / services it is providing. Page 14 of 18 Attachment # 3 PERS-RFQ # 26002 Security Certification As applicable, Offer must contain a statement demonstrating Offeror's agreement that if awarded a Contract: a. Offeror and Offeror's staff with access to State systems, facilities, data, and confidential information will submit to all security checks requested by DAS or Agency, which may include any combination of fingerprinting, Oregon Law Enforcement Data Systems (“LEDS”) and Federal Bureau of Investigation Criminal Justice Information Services (“FBI CJIS”) background checks; and b. Upon request, Offeror and Offeror’s staff will sign a non-disclosure agreement for any/all data or information received or processed on its equipment from the State of Oregon; and c. Offeror will protect at all times State of Oregon sensitive material; and d. Offeror will meet or exceed the State of Oregon’s security standards as set forth in the following: a. Privileged Access Monitoring and Reporting viewable at: https://www.oregon.gov/das/Policies/107-004-140.pdf b. Statewide Information and Cyber Security Standards viewable at: c. https://www.oregon.gov/eis/cyber-security-services/Documents/eis-css-statewide- information-security-program-plan.pdf e. Statewide Cloud Computing policy: https://www.oregon.gov/das/policies/107- 004-150.pdf f. Oregon’s Statewide Information Security Standards, found online at: https://www.oregon.gov/das/OSCIO/Pages/SecurityGuidance.aspx, including security controls that meet or exceed “Moderate” security controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. g. Oregon Statewide Information Technology Policies: www.oregon.gov/das/Pages/policies.aspx#IT. h. The Oregon Consumer Information Protection Act (OCIPA), ORS 646A.600 through 646A.628, to the extent applicable. For purposes of OCIPA, Proposer is a vendor. As the vendor awarded, I certify that my company shall comply with all applicable PERS security requirements and policies as stated above and included in the Attachments: Authorized Person: _________________________________________________ Title: ____________________________________________________________ Authorized Signature: _______________________________________________ Page 15 of 18 Attachment # 4 PERS-RFQ # 26002 Security Section for Professional Services Procurement INFORMATION SECURITY POLICIES PERS Information Security Policies 1.10.01.01.005.POL.p df 1.10.01.01.003.POL .pdf 1.10.01.01.002.POL .pdf 1.10.01.01.001.PRO .pdf 1.10.01.01.000.POL.p df 3.01.06.01.001.POL .pdf 3.01.05.01.001.POL .pdf 3.00.06.02.003.POL .pdf 3.00.06.01.001.POL .pdf 1.10.01.01.009.POL .pdf 1.10.01.01.008.POL .pdf 1.10.01.01.019.POL. pdf 1.10.01.01.014.POL. pdf 1.10.01.01.015.POL. pdf 1.10.01.01.023.STD. pdf 1.10.01.01.023.POL. pdf 1.10.01.01.002.STD. pdf 1.10.01.01.003.STD. pdf 1.10.01.01.005.STD. pdf 1.10.01.01.015.STD. pdf 1.10.01.01.008.STD. pdf 1.10.01.01.019.STD. pdf Enterprise Information Services (EIS) – Cyber Security Services (CSS) https://www.oregon.gov/das/OSCIO/Pages/Security.aspx Statewide Information Security Standards State of Oregon: OSCIO - Security general guidance Page 16 of 18 Attachment # 5 PERS-RFQ # 26002 Certified Office Inclusion & Diversity Form SUBMIT THIS FORM WITH YOUR RESPONSE Contractor Information Company Legal Name: Federal Tax ID#: Address: Contact Person: Email: Phone: Fax: By signing this Cover Page, Contractor agrees to comply with all requirements, specifications and terms and conditions included with this Request for Quote (including all Attachments and Addenda, if any) and all specifications, warranties, etc. included in its submitted response. Contractor certifies, under penalty of perjury, that they are not in violation of any tax laws described in ORS 305.385(6) and (7). Authorized Signature: Printed Name: Title: Date: Complete if Applicable: CERTIFIED BUSINESS FIRM PARTICIPATION (ORS 200.005 to 200.075; ORS 200.160 to 200.200; ORS 279A.105) NOTE: This section is for information purposes only and shall not be considered in the evaluation of the bid or award of a contract. Type of Certification Certification Number Certified in Oregon? Disadvantaged Business Enterprise (DBE) Minority Business Enterprise (MBE) Women Business Enterprise (WBE) Emerging Small Business (ESB) Page 17 of 18 Attachment # 6 PERS-RFQ # 26002 INSURANCE REQUIREMENTS The vendor, prior to performing under this Contract, shall maintain insurance in full force and at its own expense throughout the duration of this Contract, as required by any extended reporting period or tail coverage requirements, and all warranty periods that apply. Vendor shall obtain the following insurance from insurance companies or entities that are authorized to transact the business of insurance and issue coverage in the State of Oregon and that are acceptable to Agency. Coverage shall be primary and non-contributory with any other insurance and self- insurance, with the exception of Professional Liability and Workers’ Compensation. Vendor shall pay for all deductibles, self-insured retention, and self-insurance, if any. Commercial General Liability Contractor shall obtain, at contractor’s expense, and keep in effect during the term of this contract, commercial general liability insurance covering bodily injury and property damage in a form and with coverages that are satisfactory to the state. This insurance shall include personal and advertising injury liability, products and completed operations and contractual liability coverage for the indemnity provided under this contract. Coverage shall be written on an occurrence basis in an amount to not be less than $1,000,000 per occurrence. Annual aggregate limit shall not be less than $2,000,000. Professional Liability Contractor shall obtain, at Contractor’s expense, and keep in effect during the term of this Contract, Professional Liability Insurance covering any damages caused by an error, omission or any negligent acts related to the services to be provided under this contract by the Contractor and Contractor’s subcontractors, agents, officers, and employees in an amount of not less than $1,000,000 per occurrence, incident, or claim. Annual aggregate limit shall not be less than $2,000,000. If coverage is on a claims made basis, then either an extended reporting period of not less than 24 months shall be included in the Professional Liability insurance coverage, or the Contractor shall maintain either tail coverage or continuous claims made liability coverage, provided the effective date of the continuous claims made coverage is on or before the effective date of this Contract, for a minimum of 24 months following the later of (i) Contractor’s completion and Agency’s acceptance of all Services required under this Contract, or, (ii) Agency or Contractor termination of contract, or, iii) The expiration of all warranty periods provided under this Contract. Network Security and Privacy Liability Contractor shall provide Network Security and Privacy Liability Insurance for the duration of this Contract and for the period of time in which Contractor (or its business associates or subcontractor(s)) maintains, possesses, stores, or has access to Agency or client data, whichever is longer, with a combined single limit of not less than $1,000,000 per claim or incident. This insurance must include coverage for third party claims and for losses, thefts, unauthorized disclosures, access or use of Agency or client data (which may include, but is not limited to, Page 18 of 18 Personally Identifiable Information (“PII”), Payment Card Data and Protected Health Information (“PHI”)) in any format, including coverage for accidental loss, theft, unauthorized disclosure access or use of Agency data. Additional Insured All liability insurance, except for Workers’ Compensation, Professional Liability, and Network Security and Privacy Liability, required under this Contract must include an additional insured. Certificate(s) and Proof of Insurance Vendor shall provide to Agency Certificate(s) of Insurance for all required insurance before delivering any Goods and performing any Services required under this Contract. The Certificate(s) shall list the State of Oregon, its officers, employees, and agents as a Certificate holder and as an endorsed Additional Insured. The Certificate(s) shall also include all required endorsements or copies of the applicable policy language affecting coverage required by this Contract. If excess/umbrella insurance is used to meet the minimum insurance requirement, the Certificate of Insurance must include a list of all policies that fall under the excess/umbrella insurance. As proof of insurance Agency has the right to request copies of insurance policies and endorsements relating to the insurance requirements in this Contract. Notice of Change or Cancellation The Vendor or its insurer must provide at least 30 days’ written notice to Agency before cancellation of, material change to, potential exhaustion of aggregate limits of, or non-renewal of the required insurance coverage(s). Insurance Requirement Review Vendor agrees to periodic review of insurance requirements by Agency under this Contract and to provide updated requirements as mutually agreed upon by Vendor and Agency. State Acceptance All insurance providers are subject to Agency acceptance. If requested by Agency, Vendor shall provide complete copies of insurance policies, endorsements, self-insurance documents and related insurance documents to Agency’s representatives responsible for verification of the insurance coverages required.